This report is no longer considered Sensitive But Unclassified.
Audit of USAID/West Bank and Gaza's Partner Vetting and Geo-Management Information Systems
Recommendations
USAID/West Bank and Gaza provide training to the system administrators of the Partner Vetting System, Partner Vetting System Nongovernmental Organization Portal and Geo-Management Information System on information system security and security requirements for federal information systems.
USAID/West Bank and Gaza implement a comprehensive identification and authentication policy and procedures for the Geo-Management Information System to comply with the guidance of National Institute for Standards and Technology Special Publication 800-53.
USAID/Office of Security implement procedures to conduct and document periodic risk assessments for the Partner Vetting System Nongovernmental Organization Portal to comply with the guidance of National Institute for Standards and Technology Special Publication 800-53.
Following the implementation of the identification and authentication policy and procedures for the Geo-Management Information System, we recommend that USAID/West Bank and Gaza implement procedures to conduct periodic reviews and document the review results to comply with the guidance of National Institute for Standards and Technology Special Publication 800-53.
USAID/West Bank and Gaza incorporate authenticator management controls in the Geo-Management Information System to enforce minimum password complexity, minimum number of changed characters when new passwords are created, encrypted representations of passwords for storage and transmission, password minimum and maximum lifetime restrictions, rules governing recycling of passwords, and the use of a temporary password for system log-ons with an immediate change to a permanent password, in compliance with National Institute for Standards and Technology Special Publication 800-53.
USAID/Office of Security incorporate authenticator management control in the Partner Vetting System Nongovernmental Organization Portal to enforce minimum password lifetime parameters for user accounts to comply with National Institute for Standards and Technology Special Publication 800-53.
USAID/West Bank and Gaza implement controls in the Geo-Management Information System so the system does not retain user log-ons after it terminates a communication session.
USAID/West Bank and Gaza use a secure session for transmitting data from its implementing partners.
USAID/West Bank and Gaza, in coordination with USAID/Office of Security, implement necessary changes to the Partner Vetting System Nongovernmental Organization Portal to eliminate restrictions on age limits in the birth date fields in the Partner Information Form and to allow changes made to be reflected in the form.
USAID/West Bank and Gaza review and document the frequency and level of certification required by the contracting officer's representatives and agreement officer's representatives in the Geo-Management Information System.
USAID/West Bank and Gaza implement a policy to periodically validate contracting officer's representatives' and agreement officer's representatives' compliance with Geo-Management Information System certification requirements.
USAID/West Bank and Gaza prepare a written security assessment of the Geo-Management Information System in accordance with National Institute for Standards and Technology Special Publication 800-53.
Based on the results of the security assessment, we recommend that USAID/West Bank and Gaza document its plan of action and milestones for the Geo-Management Information System in accordance with National Institute for Standards and Technology Special Publication 800-53.
USAID/Office of Security update the Partner Vetting System Nongovernmental Portal plan of action and milestones to include estimated completion dates for its established milestones.
Once the estimated completion dates are in the Partner Vetting System Nongovernmental Portal's plan of action and milestones, we recommend that USAID/Office of Security conduct periodic reviews and document updates of actions taken to address any security control weaknesses by the completion dates.
USAID/West Bank and Gaza obtain a certified authorization to operate the Geo-Management Information System from the Agency's Chief Information Security Officer in accordance with Automated Directives System 545.
USAID/West Bank and Gaza implement a security plan in accordance with National Institute for Standards and Technology Special Publications 800-53 and 800-18 for the Geo-Management Information System.